php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #37745 Include exec_dir patch in PHP distribution
Submitted: 2006-06-08 13:28 UTC Modified: 2017-07-25 00:26 UTC
Votes:19
Avg. Score:5.0 ± 0.0
Reproduced:15 of 15 (100.0%)
Same Version:7 (46.7%)
Same OS:6 (40.0%)
From: phpbugs at aa-works dot de Assigned:
Status: Wont fix Package: Program Execution
PHP Version: 5.1.4 OS: n/a
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpbugs at aa-works dot de
New email:
PHP Version: OS:

 

 [2006-06-08 13:28 UTC] phpbugs at aa-works dot de
Description:
------------
PHP allows to be configured to only execute programs (with exec() type of functions) which are contained in a certain directory while running in safe mode.
There is no such configuration option for PHP not running in safe mode in the main PHP distribution but a patch to add that feature exists:
http://kyberdigi.cz/projects/execdir/english.html

Reproduce code:
---------------
n/a

Expected result:
----------------
exec_dir configuration directive being available

Actual result:
--------------
it isn't yet

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-04-20 12:54 UTC] php at cabillot dot eu
To the php team : what do you think about this feature ?

Now that safe_mode is disabled, how hosting companies can protect consumers from 
themselves ?
 [2016-12-30 23:47 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Program Execution
 [2017-07-25 00:26 UTC] johannes@php.net
-Status: Open +Status: Wont fix
 [2017-07-25 00:26 UTC] johannes@php.net
We don't have safe_mode anymore.
 [2017-07-25 05:46 UTC] spam2 at rhsoft dot net
by list exec() and friends in disabled_functions like everybody qualified to host customers did the last 15 years - allowing whatever binary outside php to get called while talking about folder restrictions is naive - once that thing is started it can call exec() itself and is no longer bound to any php restrictions and that is why safe_mode was dumb from the begin especially that it enforced files to be write able by the Webserver 

others have a chrooted httpd instance per customer on a different port than 80 and a common reverse proxy in front and these days you have containers and virtualization too
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 21:01:28 2024 UTC